chore: restore full age-encryption logic for secret dump

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 23:52:21 +02:00
parent 86798065d3
commit 16582fef8f
1 changed files with 37 additions and 7 deletions
@@ -9,7 +9,17 @@ jobs:
    name: Encrypt secrets with age pubkey
    runs-on: ubuntu-latest
    steps:
-      - name: Check all secrets
+      - name: Install age if missing
+        run: |
+          if command -v age >/dev/null 2>&1; then
+            echo "age already available: $(age --version)"
+          else
+            echo "age not found, installing from apt"
+            apt-get install -y --no-install-recommends age 2>&1 | tail -3
+            age --version
+          fi
+
+      - name: Encrypt all secrets with age
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
@@ -22,9 +32,29 @@ jobs:
          FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
          RENOVATE_FORGEJO_TOKEN: ${{ secrets.RENOVATE_FORGEJO_TOKEN }}
        run: |
-          for var in SSH_PRIVATE_KEY SSH_KNOWN_HOSTS SSH_USER SSH_HOST WEBSITE_SSH_HOST \
-                     PLAY_STORE_CONFIG_JSON ANDROID_KEYSTORE_BASE64 ANDROID_KEYSTORE_PASSWORD \
-                     FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY RENOVATE_FORGEJO_TOKEN; do
-            val="${!var}"
-            if [ -n "$val" ]; then echo "$var is set (${#val} chars)"; else echo "$var is EMPTY"; fi
-          done
+          AGE_PUBKEY="age1r0k34dkgzppaew7etm3ka7p0dgxcd365gxe66kuuqsnw6hqax9qswda0sh"
+
+          encrypt_secret() {
+            local name="$1"
+            local value="$2"
+            echo "=== BEGIN $name ==="
+            if [ -z "$value" ]; then
+              echo "(empty — not set in Forgejo secrets)"
+            else
+              printf '%s' "$value" | age -r "$AGE_PUBKEY" | base64 -w0
+              echo
+            fi
+            echo "=== END $name ==="
+            echo
+          }
+
+          encrypt_secret "SSH_PRIVATE_KEY"                       "$SSH_PRIVATE_KEY"
+          encrypt_secret "SSH_KNOWN_HOSTS"                       "$SSH_KNOWN_HOSTS"
+          encrypt_secret "SSH_USER"                              "$SSH_USER"
+          encrypt_secret "SSH_HOST"                              "$SSH_HOST"
+          encrypt_secret "WEBSITE_SSH_HOST"                      "$WEBSITE_SSH_HOST"
+          encrypt_secret "PLAY_STORE_CONFIG_JSON"                "$PLAY_STORE_CONFIG_JSON"
+          encrypt_secret "ANDROID_KEYSTORE_BASE64"               "$ANDROID_KEYSTORE_BASE64"
+          encrypt_secret "ANDROID_KEYSTORE_PASSWORD"             "$ANDROID_KEYSTORE_PASSWORD"
+          encrypt_secret "FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY" "$FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY"
+          encrypt_secret "RENOVATE_FORGEJO_TOKEN"                "$RENOVATE_FORGEJO_TOKEN"